Full Report
2025-06-03 • VMRay • Albert Zsigovits, VMRay • win.rhadamanthys Open article on Malpedia
Analysis Summary
# Main Topic
Analysis and reporting on the malware family "win.rhadamanthys", focusing on an observed TTP in which the malware is delivered inside unusually large installer files to conceal its presence.
## Key Points
- The report focuses on new techniques employed by the Rhadamanthys malware observed in the wild.
- The primary notable finding is the evasion technique leveraging large installer files to mask or deliver the malware payload.
- The analysis originates from work performed by VMRay and authored by Albert Zsigovits.
- The analysis references the `win.rhadamanthys` entry on Malpedia, suggesting a detailed technical breakdown is available there.
## Threat Actors
- The malware family under examination is **Rhadamanthys**.
- Attribution beyond the malware family name (operator or distribution group) is not given in this summary.
## TTPs
- **Evasion via Large Installers:** The core TTP is delivery of the malware inside unusually large installer files. The likely intent is to defeat static analysis and detection that skips, truncates, or deprioritizes files above a size limit (sandbox upload caps, scanner maximum-file-size settings).
- Specific MITRE ATT&CK techniques are not listed in this summary.
## Affected Systems
- The Malpedia identifier **win.rhadamanthys** indicates that the targets are **Windows** systems.
- No further specifics on victim sectors or affected versions are provided.
## Mitigations
- This summary does not detail specific, actionable mitigations.
- Implied mitigations are behavioral analysis of what a large installer actually does at runtime rather than treating file size as a benign signal, and heuristic scanning that looks for embedded payloads or filler inside legitimate-looking installers, with scan pipelines configured so that files above a size threshold are not silently skipped.
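As an added illustration of the heuristic-scanning mitigation above, the Python script below is example code written for this page; it is not VMRay's tooling and is not taken from the report. It flags files that are both oversized and mostly low-entropy filler, and it computes a padding-stripped SHA-256 so that one payload inflated to several different sizes collapses to a single hash for correlation. The thresholds (`CHUNK`, `LOW_ENTROPY`, `MIN_SUSPICIOUS_SIZE`, `MIN_RUN`), the sample inputs built by `build_samples`, and the assumption that inflation takes the form of repeated-byte padding are all assumptions of the example; the summary does not describe how the installers in the report are enlarged.

```python
import hashlib
import math
from collections import Counter

# Heuristic thresholds: assumptions for this example, not values from the report.
CHUNK = 4096                    # bytes per entropy window
LOW_ENTROPY = 1.0               # bits/byte; repeated-byte padding scores near 0, code or compressed data near 6-8
MIN_SUSPICIOUS_SIZE = 1 << 20   # only files at least this large count as "oversized" (1 MiB here; tune in production)
MIN_RUN = 4096                  # a trailing run of one byte at least this long is treated as padding


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte of buf (0.0 for empty or single-valued input)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def padding_fraction(data: bytes, chunk: int = CHUNK, low: float = LOW_ENTROPY) -> float:
    """Fraction of fixed-size windows whose entropy is below `low`, i.e. filler rather than content."""
    windows = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    if not windows:
        return 0.0
    return sum(1 for w in windows if shannon_entropy(w) < low) / len(windows)


def trailing_run_length(data: bytes) -> int:
    """Length of the run of identical bytes at the end of data (classic overlay padding)."""
    if not data:
        return 0
    return len(data) - len(data.rstrip(data[-1:]))


def normalized_sha256(data: bytes, min_run: int = MIN_RUN) -> str:
    """SHA-256 of data with a long trailing single-byte run removed, so the same payload
    padded to different sizes yields one hash. Short runs are kept as real content."""
    run = trailing_run_length(data)
    core = data[:-run] if run >= min_run else data
    return hashlib.sha256(core).hexdigest()


def assess(data: bytes, min_size: int = MIN_SUSPICIOUS_SIZE, chunk: int = CHUNK) -> dict:
    """Triage verdict for one file: oversized AND mostly filler => flagged as inflated.
    A large installer whose bulk is genuine compressed content has high entropy and is not flagged."""
    size = len(data)
    pad = padding_fraction(data, chunk)
    trail = trailing_run_length(data)
    inflated = size >= min_size and (pad >= 0.5 or trail >= size // 2)
    return {
        "size": size,
        "padding_fraction": round(pad, 4),
        "trailing_run": trail,
        "inflated": inflated,
        "normalized_sha256": normalized_sha256(data),
    }


def build_samples() -> dict:
    """Constructed inputs: a deterministic high-entropy 4 KiB 'payload' and two padded variants of it."""
    payload = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
    return {
        "payload_only": payload,
        "zero_padded": payload + b"\x00" * (2 << 20),   # 2 MiB of zeros appended
        "ff_padded": payload + b"\xff" * (3 << 20),     # 3 MiB of 0xFF appended
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, assess(blob))
```

The verdict deliberately keys on low-entropy filler rather than on size alone: legitimate installers are often large because they carry compressed archives, which score high on entropy and pass, whereas a small payload inflated with repeated bytes scores near zero across most windows. The normalized hash gives a way to tie together variants that differ only in the amount of padding, which a plain file hash cannot do.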
## Conclusion
Rhadamanthys continues to evolve its delivery and evasion methods, now using oversized installation packages to avoid detection. Defenders should scrutinize the runtime behavior of large executables rather than rely purely on static content analysis, and should confirm that size limits in their scanning pipeline do not exempt such files from inspection. The full VMRay report should be consulted for technical indicators and prevention guidance.